Cyborg
Reconnaissance
Initial nmap scan to find open ports, using the flag that skips host discovery and treats all hosts as online (-Pn).
We have two ports: 22, which is running SSH, and 80, which is running HTTP.
Detailed Nmap scan:
Command Breakdown:
(-sV): Service version detection
(-sC): Default nmap scripts
(-p): Specifying ports 22,80
(-oN nmap): Saving the output, in nmap's normal text format, to a file called nmap
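The file written by -oN is plain text with one "PORT STATE SERVICE VERSION" row per port, so it is easy to parse when you want to feed scan results into an inventory or a later check. The parser below is an added example and not part of the original writeup; the scan text it reads is a constructed sample in nmap's normal output layout (the hostname, version strings and timings are placeholders, not the real box), and it includes a closed port so the state filter is exercised.

```python
import re

# Constructed sample in nmap -oN (normal output) layout. Values are placeholders.
SAMPLE_SCAN = """\
# Nmap 7.91 scan initiated (constructed sample, not the real scan output)
Nmap scan report for 10.0.0.1
Host is up (0.0010s latency).
Not shown: 997 closed ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 0.0 (constructed)
80/tcp  open   http    Apache httpd 0.0 ((constructed))
443/tcp closed https
Service Info: OS: Linux
# Nmap done at (constructed) -- 1 IP address (1 host up) scanned in 10.00 seconds
"""

# One port row: "<port>/<proto>  <state>  <service>  [<version text>]"
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$"
)


def parse_nmap_normal(text):
    """Return a list of dicts, one per port row, from nmap normal (-oN) output.

    Lines that are not port rows (banners, 'Host is up', 'Service Info') are
    skipped; the version column is None when -sV produced nothing for a port.
    """
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if not m:
            continue
        rows.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "state": m.group("state"),
            "service": m.group("service"),
            "version": m.group("version"),
        })
    return rows


def open_services(text):
    """Map open port number -> service name, ignoring closed/filtered rows."""
    return {r["port"]: r["service"] for r in parse_nmap_normal(text)
            if r["state"] == "open"}


if __name__ == "__main__":
    for row in parse_nmap_normal(SAMPLE_SCAN):
        print(f'{row["port"]}/{row["proto"]:<4}{row["state"]:<8}'
              f'{row["service"]:<8}{row["version"] or ""}')
    print("open:", open_services(SAMPLE_SCAN))
```

On the sample this yields {22: "ssh", 80: "http"}, matching the two open ports found in the writeup; the closed 443 row is parsed but filtered out by open_services.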
Enumeration
Let's visit the web server.
It's a default Apache2 page; let's run gobuster to find hidden directories and files.
There is an admin directory; let's go check it out.
It's a website with information about a person; let's explore the website and see what we can find. When you go to the Admins tab, you find this information.
Looks like there is a backup called music_archive. We also get another hit on gobuster, the /etc/ directory; this might contain the config files that Alex was talking about, so let's go visit it.
Clicking on the folder, we see some interesting files.
We have a squid.conf file and a passwd file. Let's download these to our machine.
Let's check these files out.
Looks like a hash; let's crack it using John the Ripper.
We found a password: squidward. Let's look at the other file.
Doesn't look like anything important. One thing we did not find is the archive file Alex was talking about, so I went to look for it and found it here.
Let's download this.
The archive is a tar file; let's click OK after selecting "Save File". Now let's check its contents.
We found these files. I went through many of them and many did not make sense, except this one.
Looking at this information, I went to Google and searched on this topic and found this page, where I saw that there were commands we could use, so I went to look for the file with which we can use borg commands, one of which was on GitHub.
Next I went here, as it said that it had recent releases.
I downloaded the Linux file.
Let's list the files. I tried using it and got this message:
And so I downloaded the tool; now let's list the files.
Earlier in our enumeration we found a password: squidward. Let's use that.
And it worked; we have an archive file called music_archive. Now let's extract this file too.
It asks for a password, and I just used the one from before and it worked.
We extracted a folder called alex. Navigating through it, I found this file.
It has nothing interesting. I also found this file:
It has a username and password. Let's try to log in with these credentials through SSH.
We are logged in. We can also cat the user.txt file.
Privilege Escalation
Let's run sudo -l to see what we can run as root.
Looks like we can run this file; let's see what it does.
Looking through it, the getopts call is interesting: it's a built-in function to parse arguments and options to a bash script, according to Google. This is the article I found after googling. So, in summary, when the bash script is passed the -c argument, getopts will take the command, pass it to the bash script, and then execute it. Let's run a bash command.
We are now root, but none of the commands worked.
What we have to do is add the SUID bit on bash, then exit the shell and use the bash binary to get root on the box and execute commands.
Using these commands, we can read the root flag.
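The last step leaves a permanent artefact on the box: a setuid-root copy of bash, which is exactly what a defender's post-incident or routine audit should catch. The audit below is an added example and not part of the original writeup. It walks a directory tree, reports every regular file carrying the setuid bit, and separates shells (any of which hands over a root shell on its own) from other setuid helpers that merely need review. The demo() function builds a constructed temporary tree rather than touching the real filesystem; the file names in it (bash, passwd, ls) are placeholders for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Shell binaries that must never be setuid: a setuid-root shell is a root shell.
SHELL_NAMES = {"bash", "sh", "dash", "zsh", "ksh", "fish", "csh", "tcsh"}


def find_setuid(root):
    """Walk `root` and return (path, owner_uid, mode) for every regular file
    that has the setuid bit set. Symlinks are inspected with lstat and not
    followed, and unreadable entries are skipped rather than aborting the walk."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return hits


def classify(hits):
    """Split setuid hits into (shells, others): shells are critical findings,
    others are setuid helpers to compare against a known-good baseline."""
    shells = [h for h in hits if os.path.basename(h[0]) in SHELL_NAMES]
    others = [h for h in hits if h not in shells]
    return shells, others


def report(hits):
    """Render hits as 'mode uid path' lines, mode in octal as ls/stat would show."""
    return [f"{mode:04o} uid={uid} {path}" for path, uid, mode in hits]


def demo():
    """Constructed tree: one setuid shell, one setuid non-shell, one plain file.
    Returns (shell_names, other_setuid_names) found by the audit."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp) / "bin"
        bin_dir.mkdir()
        # constructed: a bash binary with the setuid bit set (mode 4755)
        rogue = bin_dir / "bash"
        rogue.write_bytes(b"#!/bin/sh\n")
        rogue.chmod(0o4755)
        # constructed: a setuid helper that is not a shell, reported for review
        helper = bin_dir / "passwd"
        helper.write_bytes(b"")
        helper.chmod(0o4755)
        # constructed: an ordinary binary without setuid, must not be reported
        plain = bin_dir / "ls"
        plain.write_bytes(b"")
        plain.chmod(0o755)

        shells, others = classify(find_setuid(tmp))
        return (sorted(os.path.basename(p) for p, _, _ in shells),
                sorted(os.path.basename(p) for p, _, _ in others))


if __name__ == "__main__":
    print(demo())
    # Against a live system, run as root over the real prefixes, for example:
    # for line in report(find_setuid("/usr")): print(line)
```

Running demo() returns (["bash"], ["passwd"]): the setuid shell is flagged as critical, the setuid helper is listed for review, and the plain binary is ignored. On a real host, compare the "others" list against a baseline taken at build time so that only new setuid files need attention.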